
Android one-click Google authentication method puts users, businesses at risk

  • August 7, 2013

RetiredTripleHelix
Lucian Constantin, IDG News Service - PCWorld
Aug 5, 2013 5:53 AM
A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.

The feature is called "weblogin" and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.

Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.

Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.

Most Android antivirus products from well-known vendors didn't detect the app as malware either.

The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users.

TH